WebSpell Authentication Bypass and arbitrary code execution
Vendor : WebSpell
URL : http://www.webspell.org/
Version : All
Risk : SQL Injection, unchecked file upload
Description:
webSPELL is a free Content Management System (CMS) for clans and gaming
communities, providing all needed features like forums,
gallery, clanwar system. Because of some serious flaws in the login and
cookie-handling function, login can be easily bypassed and
arbitrary php code executed via uploading a php file.
Notes: magic_quotes_gpc() has to be set OFF
Details:
Due to an SQL Injection via the sended 'ws_auth' cookie, WebSpell is vulnerable
to an Authentication Bypass.
$login_per_cookie = false;
if(isset($_COOKIE['ws_auth']) AND !isset($_SESSION['ws_auth'])) {
$login_per_cookie = true;
$_SESSION['ws_auth'] = $_COOKIE['ws_auth'];
}
systeminc('login');
[...]
if(stristr($_SESSION['ws_auth'], "userid")===FALSE){
$authent = explode(":", $_SESSION['ws_auth']);
$ws_user = $authent[0];
$ws_pwd = $authent[1];
$check = safe_query("SELECT userID FROM ".PREFIX."user WHERE
userID='$ws_user' AND password='$ws_pwd'");
while($ds=mysql_fetch_array($check)) {
$loggedin=true;
$userID=$ds['userID'];
}
}
As seen in the above codee, the Cookie 'ws_auth' is divided into two parts: The
userid and the password.
With the following cookie you can bypass this function and login as
admin(userid 1):
1;' OR '1'='1
When 'logged in' an PHP-file with arbitrary code can be uploaded via the "add
squad" feature.
Solution:
Use mysql_real_escape_String() or addslashes() for the safe_query()
Credits:
Robin Verton < r.verton at gmail com>
|